The Pre-login URL

The pre-login process is the entry point for applications participating
in Liberty-based single sign-on. As described in Process of Federation, the principal would be redirected to
the location defined by the pre-login URL if no Access Manager session token
is found. This default process, though, can be modified based on the
values of query parameters passed to Access Manager by the service provider
via a URL.

A query parameter is a name/value pair appended to the end of a URL. The first parameter is preceded by a question mark (?), and each parameter takes the form name=value. A number of parameters can be combined in one URL; when more than one parameter exists, they are separated by an ampersand (&). Use the format http://hostname:port/deploy-uri/preLogin?metaAlias=metaAlias. Additional parameters are appended to the URL as &param1=value1&param2=value2 and so on. These parameters, their usage, and their values are described in the following table.

Table 3–1 Pre-login URL Parameters for Federation

Each entry gives the parameter name followed by its description.

actionOnNoFedCookie

The actionOnNoFedCookie parameter provides
the flexibility to redirect a user when the fedCookie is
not present in the browser, and when there is only one identity provider.
It takes the following values:

commonlogin will redirect to a
common login page.

locallogin will redirect to the
local Access Manager login page.

passive will issue a request to
the identity provider by setting the isPassive parameter
of the AuthnRequest element to true.

active will issue a normal single
sign-on request to the identity provider.

anonymousOnetime

The anonymousOnetime parameter can be used by service providers that authenticate users with anonymous, one-time federation sessions. A value of true enables the service provider to issue a one-time federation request and generate an anonymous session after successful verification of the authentication assertion from the identity provider. This feature is useful when the service provider does not have a user repository (for example, http://www.weather.com) but would like to depend on an identity provider for authentication. When the service provider receives a successful authentication assertion from an identity provider, it generates an anonymous, temporary session.

authlevel

The authlevel parameter takes as a value
a positive number that maps to an authentication level defined in
the Access Manager Authentication Framework. The authentication level indicates
how much to trust a method of authentication.

In this framework, each service provider is configured with
a default authentication context (preferred method of authentication).
However, the provider might like to change the assigned authentication
context to one that is based on the defined authentication level.
For example, provider B would like to generate a local session with
an authentication level of 3 so it requests the identity provider
to authenticate the user with an authentication context assigned that
level. The value of this query parameter determines the authentication
context to be used by the identity provider.

goto

The goto parameter takes as a value a URL
to which the principal will be redirected after a successful SSO.
If the value is not specified, default redirection will occur based
on the value of the Provider Home Page URL attribute defined in the
service provider configuration. The value of this URL can be configured
by changing the iplanet-am-provider-homepage-url attribute
in the amProviderConfig.xml file.

gotoOnFedCookieNo

The gotoOnFedCookieNo parameter takes as
a value a URL to which the principal is redirected if a fedCookie with a value of no is found. The default
behavior is to redirect the user to the Access Manager login page.
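The following Python example is added here to illustrate the URL format and the parameter values described above; it is not part of the original guide and is not Access Manager code. It builds a pre-login URL from a base URL and a metaAlias, URL-encodes any of the optional parameters (a goto value that is itself a URL must be encoded, or its own ? and & would be read as part of the pre-login query string), and parses an incoming pre-login URL back into parameters, checking each value against what the table defines: actionOnNoFedCookie must be one of the four listed keywords, anonymousOnetime must be true or false, authlevel must be a positive number, and goto and gotoOnFedCookieNo must be absolute http or https URLs. The optional allowed_hosts check is an assumption of this example, not something the guide specifies; it is the kind of restriction a deployment would apply to redirect targets before handing them to the login flow. The base URL, metaAlias, and hostnames in the usage at the bottom are constructed sample values.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Values the table defines for actionOnNoFedCookie.
ACTION_ON_NO_FED_COOKIE = {"commonlogin", "locallogin", "passive", "active"}
# anonymousOnetime is a boolean flag.
BOOLEAN_VALUES = {"true", "false"}
# Parameters whose value is a redirect target URL.
REDIRECT_PARAMS = ("goto", "gotoOnFedCookieNo")


def validate_params(params, allowed_hosts=None):
    """Return a list of problems found in a dict of pre-login parameters.

    allowed_hosts (assumed, not from the guide): if given, redirect targets
    must point at one of these hosts.
    """
    errors = []
    if not params.get("metaAlias"):
        errors.append("metaAlias is required")

    action = params.get("actionOnNoFedCookie")
    if action is not None and action not in ACTION_ON_NO_FED_COOKIE:
        errors.append(f"actionOnNoFedCookie: unknown value {action!r}")

    onetime = params.get("anonymousOnetime")
    if onetime is not None and onetime not in BOOLEAN_VALUES:
        errors.append(f"anonymousOnetime: expected true or false, got {onetime!r}")

    level = params.get("authlevel")
    if level is not None and not (level.isdigit() and int(level) > 0):
        errors.append(f"authlevel: expected a positive number, got {level!r}")

    for name in REDIRECT_PARAMS:
        target = params.get(name)
        if target is None:
            continue
        parts = urlsplit(target)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            errors.append(f"{name}: expected an absolute http(s) URL, got {target!r}")
        elif allowed_hosts is not None and parts.hostname not in allowed_hosts:
            errors.append(f"{name}: host {parts.hostname!r} is not in the allowed list")
    return errors


def build_prelogin_url(base, meta_alias, **params):
    """Build http://hostname:port/deploy-uri/preLogin?metaAlias=...&param=value...

    base is the deployment URL (scheme, host, port and deploy-uri); extra
    keyword arguments become additional query parameters. Raises ValueError
    when a value does not match the table's definition.
    """
    query = {"metaAlias": meta_alias}
    query.update({k: v for k, v in params.items() if v is not None})
    errors = validate_params(query)
    if errors:
        raise ValueError("; ".join(errors))
    # safe="/" keeps the slashes in metaAlias readable; ':', '?', '&' and '='
    # inside a goto URL are still percent-encoded so they cannot be mistaken
    # for delimiters of the outer query string.
    return f"{base.rstrip('/')}/preLogin?{urlencode(query, safe='/')}"


def parse_prelogin_url(url, allowed_hosts=None):
    """Parse a pre-login URL; return (params, errors).

    A parameter given twice is reported as an error rather than silently
    resolved to one of the values.
    """
    raw = parse_qs(urlsplit(url).query, keep_blank_values=True)
    params = {name: values[0] for name, values in raw.items()}
    errors = validate_params(params, allowed_hosts)
    for name, values in raw.items():
        if len(values) > 1:
            errors.append(f"{name}: parameter given {len(values)} times")
    return params, errors


if __name__ == "__main__":
    # Constructed sample deployment; this URL is what an agent's
    # com.sun.am.policy.loginURL property would point at.
    url = build_prelogin_url(
        "http://am.example.com:8080/amserver", "/sp",
        goto="http://app.example.com/home?x=1", authlevel="3",
        actionOnNoFedCookie="passive")
    print(url)
    print(parse_prelogin_url(url, allowed_hosts={"app.example.com"}))
```

The parser treats a repeated parameter as an error because the guide defines each parameter once and gives no rule for which copy wins; rejecting the request is safer than guessing, since the two copies may have been supplied by different parties.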

To modify the pre-login URL, edit the relevant properties in either the AMConfig.properties file or the AMAgent.properties file, depending on your deployment. See the following procedures for more information:

To Configure for Pre-login

In a federation setup, Access Manager acts as a service provider and manages
an application that runs on a separate instance of Sun Java System Web Server. You
must configure the agent that is protecting this application as follows:

Point the com.sun.am.policy.loginURL property
in the AMAgent.properties file to the pre-login
service URL running on Access Manager.